Link to home
Start Free TrialLog in
Avatar of NytroZ
NytroZFlag for United States of America

asked on

VPN Routing issue

I have a Microsoft RRAS VPN setup for users to access from home.  The RRAS server has one interface connected in the DMZ(172.16.10.1) zone and another in teh internal LAN(192.168.100.x) of Juniper firewall A.  When connected users can access the resources in the LAN.  I also have a site to site vpn from one firewall to another.  Internal users from inside firewall A  can access resources inside firewall B.  The site to site is between two Juniper firewalls.  Teh problem I have now is when a remote user connects to the RRAS server he cannot connect to the resources on the other side of the site to site vpn.  He can only connect to the local resources.  Can I set up a route on the RRAS server to allow the remote vpn to access through the tunnel or is this something that needs to be done at the Juniper firewall?
Avatar of csg-unit
csg-unit
Flag of United States of America image

I would add a route in the RRAS server to point traffic for the network on the other side of the VPN to the firewall on the RRAS server's side of the VPN.  From there, the firewall should know to send the traffic over the tunnel.  You also want to make sure that the other side of the VPN has a route in place pointing the VPN user's subnet to the firewall on that side.  Also, make sure that that subnet of the remote VPN is included in the tunnel on both ends.
Avatar of Qlemo
Are the RRAS IP addresses from LAN A? I suppose the DMZ addresses are not visible to the user, just used for connecting Juniper and RRAS DMZ NIC.
Are you using a static RAS IP Pool, or DHCP? If latter, you can set up DHCP option 121 (generic classless routing) or 249 (Microsoft classless routing) to push the route to clients, and you should be set.

If RRAS uses a different network, things get more complicated ...
Avatar of NytroZ

ASKER

The RRAS server hands out IP via DHCP.  These IP's are on the same subnet as the local LAN.  I was previosly suing RRAS with a single NIC and did not have this issue.  Once I added teh second nic I was no longer able to access resources across the site to site vpn.  Can you clarify how the remote vpn clients route the traffic to the resources on teh site to site vpn? If I am a vpn user at home and connect to the RRAS server, I receive an IP address on the local LAN.  I am then able to access the LAN resources.  If I want to access resources on the site to site I would send to the dg which is the firewall that has a route setup to send through the tunnel that was created.  Why cant the vpn users send traffic to the firewall as well?  Where do they send traffic that is not on teh local subnet?  Isn't there a check mark that says "use default gateway of remote network"?  Where is teh DHCP option to set up optoin 121 or 249?
ASKER CERTIFIED SOLUTION
Avatar of Qlemo
Qlemo
Flag of Germany image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of NytroZ

ASKER

The RRAS addresses are handed out from teh same DHCP scope as our internal workstations are.  A trace from a vpn client to Site B does not even resolve to the first hop.  You can see in the attched file that I can get to the Local LAN at 192.168.100.x but when I try to access teh resource at site B at 192.168.20.x it fails.  I also have a screenshot of the routing table on the RRAS server.  If I need to create a route, where would I create it at and what would it consist of?
routing.docx
I'll need some more info about your IP addresses:
I assume Juniper is 192.168.100.100,
and RRAS 192.168.100.240 (RAS IP) resp. 192.168.100.228 (real IP).

That you can't get any info by tracerouting to 192.168.20.80 tells me that either the default gateway is not set correctly, or the RRAS has a firewall running disallowing traffic for 192.168.20.x. What is the default gateway for RAS (on client)?
The issue seems to be unresolved (and should not be closed by accepting a post then). Did my answer really help? If so, please post the reason it did not work, so others can find the solution.